Factoring 51 and 85 with 8 qubits
We construct simplified quantum circuits for Shor's order-finding algorithm for composites $N$ given by products of the Fermat primes 3, 5, 17, 257, and 65537. Such composites, including the previously studied case of 15, as well as 51, 85, 771, 1285, 4369, ... have the simplifying property that the order of $a$ modulo $N$ for every base $a$ coprime to $N$ is a power of 2, significantly reducing the usual phase estimation precision requirement. Prime factorization of 51 and 85 can be demonstrated with only 8 qubits and a modular exponentiation circuit consisting of no more than four CNOT gates.



I. ORDER FINDING AND FERMAT PRIMES 

Shor's prime factoring algorithm [1] reduces the factorization of a product $N = pp'$ of distinct odd primes $p$ and $p'$ to that of finding the order $r$ of $a \bmod N$ for a randomly chosen base $a$ coprime to $N$ (with $1 < a < N$), which can be performed efficiently with a quantum computer. The standard implementation [2] factors a $b$-bit number with $3b$ qubits using a circuit of depth $O(b^3)$; alternative modular exponentiation circuits can be used to reduce either the space (qubit number) [3] or time [4] requirements. The case $N = 15$, which has the simplifying property that all orders are powers of 2, has been demonstrated experimentally by several groups [4, 5-8]. Recent experiments have also factored $N = 21$ [9, 10] and 128 [11].



In this paper we consider the application of Shor's algorithm to products of special primes of the form

$$p_k = 2^{2^k} + 1 \quad \text{with } k = 0, 1, 2, 3, 4. \tag{1}$$

Explicitly,

$$p = 3,\ 5,\ 17,\ 257,\ \text{and } 65537. \tag{2}$$

Fermat proposed that numbers of the form $2^{2^k} + 1$ for any $k = 0, 1, 2, \ldots$ (called Fermat numbers) are prime; however it is now known that the Fermat numbers with $5 \le k \le 32$ are not prime, and it is not known whether there are additional primes of this form for larger values of $k$.

Products of the form

$$\begin{aligned} N &= p_k p_{k'} = (2^{2^k} + 1)(2^{2^{k'}} + 1), \quad \text{with } k, k' \in \{0, 1, 2, 3, 4\} \text{ and } k \ne k' \\ &= 15,\ 51,\ 85,\ 771,\ 1285,\ 4369,\ 196611,\ 327685,\ 1114129,\ \text{and } 16843009 \end{aligned} \tag{3}$$

have the special property that the order of $a \bmod N$ for every base $a$ coprime to $N$ is a power of 2. This follows from Euler's theorem,

$$a^{\phi(y)} \bmod y = 1, \tag{4}$$

where $y$ is a positive integer, $\phi(y)$ is the number of positive integers less than $y$ that are coprime to $y$, and $\gcd(a, y) = 1$. When $p$ and $p'$ are odd primes, all $pp' - 1$ positive integers less than $pp'$ are coprime to $pp'$ except for the $p - 1$ multiples of $p'$ and the $p' - 1$ multiples of $p$, and these exceptions are distinct, so

$$\phi(pp') = pp' - 1 - (p - 1) - (p' - 1) = (p - 1)(p' - 1). \tag{5}$$

This result also follows from Euler's product formula. Thus,

$$a^{(p-1)(p'-1)} \bmod pp' = 1. \tag{6}$$

Recall that the order $r$ of $a \bmod N$ is the smallest positive integer $x$ satisfying $a^x \bmod N = 1$; therefore for a composite of the form (3),

$$\phi(N) = (p_k - 1)(p_{k'} - 1) = 2^{2^k + 2^{k'}} \tag{7}$$

must be a multiple of $r$. Because $r$ must be an integer, we conclude that for any $1 < a < N$ with $\gcd(a, N) = 1$, $r$ is a power of 2 as well.


II. SPACE REQUIREMENTS AND CIRCUIT CONSTRUCTION

The standard [2] order-finding circuit is shown in Fig. 1. The first register has $n$ qubits and the second has $m$. The modular exponentiation operator in Fig. 1 acts on computational basis states as

$$|x_1 x_2 \cdots x_n\rangle \otimes |0 \cdots 1\rangle \rightarrow |x_1 x_2 \cdots x_n\rangle \otimes |a^x \bmod N\rangle, \tag{8}$$

where

(9)

FIG. 1. Basic quantum circuit for order finding. Here $n = 2b$ and $m = b$, where $b = \lceil \log_2 N \rceil$ is the number of bits in $N$.



After the inverse quantum Fourier transform, measurement of the first register is done in the diagonal basis. The probability to observe the value

$$x \in \{0, 1, \ldots, 2^n - 1\} \tag{10}$$

is

$$\mathrm{prob}(x) = \frac{\sin^2(\pi r x A / 2^n)}{2^n A \sin^2(\pi r x / 2^n)}, \tag{11}$$



where $r$ is the order and $A$ is the number of distinct values of $x$ such that $a^x \bmod N$ has the same value (this is approximately $2^n/r$). This probability distribution has peaks at integer values of $x$ near

with $j = 0, 1, \cdots$



1. 



(12) 



The number of qubits $n$ in the first register is chosen to enable reliable extraction of the value of $r$ in (12), which depends on whether or not $r$ is a power of 2. In actual applications of Shor's algorithm this will not be known, of course, as the point of the quantum algorithm is to determine $r$. In this usual situation, measurement will yield (with prob $> 4/\pi^2$) an $x$ satisfying

<^ with $j \in \{0, 1, \ldots, r - 1\}$. (13)

By choosing $n = 2b$ qubits in the first register, where $b = \lceil \log_2 N \rceil$, we are guaranteed that $j/r$ will be a (continued fraction) convergent of $x/2^n$. However, for the family of composites $N = (2^{2^k} + 1)(2^{2^{k'}} + 1)$ considered here, all bases have orders

$$2^{\ell} \quad \text{with } \ell \in \{1, 2, 3, \ldots, \ell_{\max}\}, \tag{14}$$

$$A = \frac{2^n}{r}, \tag{15}$$

and the peaks (12) in (11) occur at integral values

$$x = 0,\ 2^{n-\ell},\ 2 \times 2^{n-\ell},\ \cdots,\ (r - 1) \times 2^{n-\ell}. \tag{16}$$
Therefore, as long as we have

$$n = \ell_{\max} \tag{17}$$

qubits in the first register we will be able to determine $r$, possibly after a small number of repetitions. The simplest way to extract $r$ from $x$ here (assuming $x \ne 0$) is to simplify the ratio

(18)

down to an irreducible fraction, which will yield both $j$ and $r$ [recall (12)] unless they happen to have a common factor.

Next we discuss the value of $\ell_{\max}$ (which determines the largest order $2^{\ell_{\max}}$) for a given composite $N$. We do not have an explicit formula for $\ell_{\max}$. However, when $N$ is a product of distinct odd primes, $r$ can be as large as $\phi(N)/2$ [12], so for an $N$ of the form (3) we have the bound [see (7)]



1. 



(19) 



For example, in the case of $N = 51$ ($k = 0$, $k' = 2$), the largest order is $2^4 = 16$, and the upper bound is realized. However for $N = 85$ ($k = 1$, $k' = 2$), it is not (the largest order present is 16, not 32).
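The power-of-two property derived in Sec. I and the largest-order discussion above can both be checked by brute force. The following is an added example, not code from the paper; the names `order` and `survey` are chosen here, and the search is limited to $k, k' \le 3$ (an assumption made only to keep the run time small).

```python
from math import gcd

FERMAT_PRIMES = [3, 5, 17, 257, 65537]  # p_k = 2**(2**k) + 1 for k = 0..4

def order(a, n):
    """Smallest r > 0 with a**r = 1 (mod n); requires gcd(a, n) == 1."""
    r, v = 1, a % n
    while v != 1:
        v = v * a % n
        r += 1
    return r

def survey(k, kp):
    """Brute-force every base for N = p_k * p_k'.

    Returns (N, all_powers_of_two, l_max, l_bound), where 2**l_max is the
    largest order found and 2**l_bound = phi(N)/2 is the upper limit on r.
    """
    p, q = FERMAT_PRIMES[k], FERMAT_PRIMES[kp]
    n, phi = p * q, (p - 1) * (q - 1)
    orders = {order(a, n) for a in range(2, n) if gcd(a, n) == 1}
    all_pow2 = all(r & (r - 1) == 0 for r in orders)
    l_max = max(orders).bit_length() - 1
    l_bound = (phi // 2).bit_length() - 1
    return n, all_pow2, l_max, l_bound

if __name__ == "__main__":
    # k, k' <= 3 keeps the brute force small (N up to 4369)
    for k in range(4):
        for kp in range(k + 1, 4):
            n, ok, l_max, l_bound = survey(k, kp)
            print(f"N={n:5d} powers of two: {ok}  l_max={l_max}  bound={l_bound}")
```

For $N = 51$ the two exponents coincide, while for $N = 85$ the largest order found stays one power of two below $\phi(N)/2$, as stated in the text.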

The second register stores the values of

$$a^x \bmod N \in \{0, 1, \cdots, N - 1\} \tag{20}$$

and therefore normally requires $b$ qubits. However, for a given $a$, only $r$ of these values are distinct. Thus we can use fewer than $b$ qubits. This simplification, while not essential, has been used in all gate-based factoring demonstrations to date. The reduction amounts to computing a table of values of $a^x \bmod N$ classically for a given base $a$, constructing a corresponding quantum circuit, and ignoring or eliminating unused qubits in the second register. We note that in addition to being unscalable, this method of constructing the modular exponentiation operator implicitly or explicitly uses the value of the order $r$, i.e., the answer which the quantum computation is supposed to determine [13]. We will discuss this issue further in Sec. IV.

FIG. 2. Circuit to copy the first register to the second.


In this work we will adopt an equivalent (but perhaps more systematic and transparent) modular exponentiation circuit construction: We follow the output of $a^x \bmod N$ by a second transformation

$$\begin{aligned} a^{0} \bmod N &\rightarrow 0 \\ a^{1} \bmod N &\rightarrow 1 \\ &\ \ \vdots \\ a^{r-1} \bmod N &\rightarrow r - 1 \end{aligned} \tag{21}$$

which maps the $r$ distinct values of $a^x \bmod N$ to $0, 1, \ldots, r - 1$. In (21) we assume that $1 < a < N$. We refer to this classical pre-processing of $a^x \bmod N$ as compression. Compression does not adversely affect the operation of the order-finding circuit, but reduces $m$ from $b$ to $\ell_{\max}$ in a systematic manner (and generalizes the "full compilation" method of Ref. Q.)

Note that any set of $r$ distinct non-negative integers, in any order, could be used for the output of the compression map (21). However the choice employed here, and indicated in (21), is especially simple because it can be compactly written as

$$a^x \bmod N \rightarrow x \bmod r(a). \tag{22}$$

Then, after changing the initial state of the second register from $|00 \cdots 1\rangle$ to $|00 \cdots 0\rangle$, we have, instead of (8), the compressed modular exponentiation operation

$$|x\rangle \otimes |0 \cdots 0\rangle \rightarrow |x\rangle \otimes |x \bmod r\rangle. \tag{23}$$

The operation (23) without the modulo $r$ is just the bitwise COPY shown in Fig. 2 and the effect of the modulo $r$ is to only copy the $\log_2 r$ least significant bits.

In conclusion, we require $\ell_{\max}$ qubits in each register, for a total of $2\ell_{\max}$ qubits. $\ell_{\max}$ can either be computed classically or the bound (19) can be used. We note that the space requirements can be further reduced by using iterative phase estimation [14-16], but with an increase in circuit depth. This might be useful for ion-trap and optical realizations but probably not for superconducting qubits.

III. FACTORING 51 AND 85

In this section we provide explicit quantum circuits for the cases of $N = 51$ and 85. In both cases $\ell_{\max} = 4$ (the largest order is 16), so we require $n = 4$ qubits in the first register and $m = 4$ in the second, for a total of 8 qubits. This is significantly fewer than the $3b$ required for general $b$-bit numbers ($b = 6$ when $N = 51$ and $b = 7$ when $N = 85$). It is also fewer than the $2b + 3$ qubits required by Beauregard [3].

After the compression discussed in Sec. II, only four different circuits are needed to cover all $N = 51$ and $N = 85$ cases, because there are four possible orders. The assignments are listed in Tables I and II and the circuits are given in Figs. 3a-d.

TABLE I. $N = 51$ quantum circuits. The base marked by an asterisk satisfies $a^{r/2} = -1 \bmod N$ and will result in a factorization failure in the classical post-processing analysis.

base a | circuit
16, 35, 50* | Fig. 3a
4, 13, 38, 47 | Fig. 3b
2, 8, 19, 25, 26, 32, 43, 49 | Fig. 3c
5, 7, 10, 11, 14, 20, 22, 23, 28, 29, 31, 37, 40, 41, 44, 46 | Fig. 3d

TABLE II. $N = 85$ quantum circuits. Bases marked by an asterisk satisfy $a^{r/2} = -1 \bmod N$ and result in factorization failures in the classical post-processing analysis.

base a | circuit
16, 69, 84* | Fig. 3a
4, 13*, 18, 21, 33, 38*, 47*, 52, 64, 67, 72*, 81 | Fig. 3b
2, 8, 9, 19, 26, 32, 36, 42, 43, 49, 53, 59, 66, 76, 77, 83 | Fig. 3c
3, 6, 7, 11, 12, 14, 22, 23, 24, 27, 28, 29, 31, 37, 39, 41, 44, 46, 48, 54, 56, 57, 58, 61, 62, 63, 71, 73, 74, 78, 79, 82 | Fig. 3d

FIG. 3. Quantum circuits for factoring 51 and 85. Note the modification of the input to the last qubit of the second register compared with Fig. 1. The circuits inside dashed boxes are the compressed modular exponentiation operations discussed in Sec. II. Note that the CNOT gates here can be executed in parallel.

IV. CONCLUSIONS

Given the considerable interest in experimental demonstrations of Shor's algorithm, it is reasonable to ask what constitutes a "genuine" demonstration of this important algorithm, and whether the cases presented here should be considered as such. In our opinion a genuine implementation should use no knowledge of the value of the



order $r$, including whether or not it is a power of two, because the objective of the quantum stage of the algorithm is to calculate $r$. Therefore we do not regard the factorization of products of Fermat primes to be genuine implementations of Shor's algorithm. Moreover, such special cases can be efficiently factored classically, by comparing $N$ against a list of products of these primes.

However we do view the circuits presented here as quasi-legitimate implementations of quantum order finding, and in our view they are still interesting for this reason [13]. In particular, each eight-qubit circuit presented here is able to detect periods of two, four, eight, and sixteen, so there is a failure mode where an incorrect period could be observed. But these genuine order-finding instances are nongeneric cases from the perspective of Shor's algorithm.

Smolin, Smith, and Vargo [13] recently addressed the question of what should constitute a genuine factoring demonstration by simplifying the entire order-finding circuit for any product of distinct odd primes down to only two qubits. This is possible by implementing the phase estimation iteratively [14-16] (or the Fourier transform semiclassically [18]), and by choosing only bases $a$ with order two. Smolin et al. [17] show that with knowledge of the factors, it is always possible to find an order-two base, and provide an algorithm for doing so. The circuit of Smolin et al. does not constitute a genuine implementation of Shor's algorithm either. However the focus of our work is different than Ref. [17], as the circuits presented here are still quasi-legitimate implementations of order finding, and we do not make explicit use of the factors in simplifying the circuits.

Finally, we note that the $r = 16$ cases (Fig. 3d) result in a uniform probability distribution for observing computational basis states $|x\rangle$ after measurement of the first register, which would also result from an unintended, purely decohering action of the CNOT gates [19]. One method of verifying that the circuit is functioning correctly is to perform tomography on the final state. A simpler method, however, is to change the input of the second register from $|0\rangle^{\otimes 4}$ to $|+\rangle^{\otimes 4}$, as shown in Fig. 4. If the gates are purely decohering, this will not change the output of the first register upon measurement. But if the CNOTs are acting ideally, the entire compressed modular exponentiation operator now acts as the identity [because $|+\rangle = 2^{-1/2}(|0\rangle + |1\rangle)$ is an eigenvector of the NOT gate] and can be effectively dropped from the circuit, leading to an observation of the final state $|0000\rangle$ with unit probability.

FIG. 4. Changing the input states on the second register to verify coherent operation of the CNOT gates.
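The $|+\rangle$ check above, together with the peak positions (16) and the reduce-the-fraction extraction of $r$ from Sec. II, can be reproduced with an exact state-vector calculation of the ideal 8-qubit circuit. This is an added example, not code from the paper; it models only ideal (coherent) gates, and the names `first_register_probs` and `order_from_shots` are chosen here.

```python
import cmath
from fractions import Fraction
from math import gcd

N_BITS = 4            # n = m = 4 qubits per register, as for N = 51 and 85
DIM = 1 << N_BITS

def first_register_probs(r, plus_input=False):
    """Exact measurement distribution of register 1 for order r (power of 2).

    Register 2 starts in |0000>, or in |+>^4 when plus_input is True.
    """
    y_amp = [DIM ** -0.5] * DIM if plus_input else [1.0] + [0.0] * (DIM - 1)
    # Hadamards on register 1, then CNOTs copy the log2(r) low bits of x
    state = [[0j] * DIM for _ in range(DIM)]           # state[x][y]
    for x in range(DIM):
        for y in range(DIM):
            state[x][y ^ (x & (r - 1))] += DIM ** -0.5 * y_amp[y]
    # inverse QFT on register 1, then sum probabilities over register 2
    probs = []
    for k in range(DIM):
        phases = [cmath.exp(-2j * cmath.pi * x * k / DIM) for x in range(DIM)]
        amps = (sum(state[x][y] * phases[x] for x in range(DIM)) * DIM ** -0.5
                for y in range(DIM))
        probs.append(sum(abs(a) ** 2 for a in amps))
    return probs

def order_from_shots(shots):
    """Reduce each x / 2^n and combine denominators (lcm); x = 0 adds nothing."""
    r = 1
    for x in shots:
        d = Fraction(x, DIM).denominator
        r = r * d // gcd(r, d)
    return r

if __name__ == "__main__":
    print([round(p, 3) for p in first_register_probs(4)])         # peaks at 0, 4, 8, 12
    print([round(p, 3) for p in first_register_probs(16)])        # uniform, 1/16 each
    print([round(p, 3) for p in first_register_probs(16, True)])  # all weight on x = 0
    print(order_from_shots([8]), order_from_shots([8, 12]))       # 2 (j, r share a factor), then 4
```

A single shot of $x = 8$ for an order-4 base reduces to $1/2$ and reports 2, which is the common-factor failure noted in Sec. II; a second shot at $x = 12$ recovers $r = 4$.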

In conclusion, we have shown that the simple and well-studied case of factoring $N = 15$ is the first in a series of cases

$$15,\ 51,\ 85,\ 771,\ 1285,\ 4369,\ \ldots \tag{24}$$

that have all orders equal to a power of two and that can be factored with fewer resources than that of other products with the same number of bits.